Things needing root... #212

Closed
3 of 4 tasks
bdunne opened this issue Sep 6, 2017 · 11 comments

Comments

Member

bdunne commented Sep 6, 2017

Contributor

fbladilo commented Sep 13, 2017

@bdunne One note, we would not need Backup/Restore scheduled tasks on podified if we go with OpenShift scheduled jobs for these tasks in the future, which are actually non-root jobs (restricted pods).

Member Author

bdunne commented Sep 14, 2017

@fbladilo I agree, we should leverage the work you did for backup / restore when in a container. I created the issue mostly to point out places in the application that we need to hide or remove completely because they won't work if we run without root.


bazulay commented Sep 14, 2017

@bdunne

  • Fleecing RHEV - what part of Fleecing requires root? I assume it is only the mount part?

  • PXE provisioning - I was not aware manageiq also controls a tftp server? Or did I get it wrong?

Member Author

bdunne commented Sep 14, 2017

@bazulay Yes, both of those use mount.

  • Fleecing RHEV will either mount the NFS share or activate the LVM VG and start reading from that.
  • PXE provisioning mounts the NFS share to read and write PXE files.

Member

miq-bot commented Mar 26, 2018

This issue has been automatically marked as stale because it has not been updated for at least 6 months.

If you can still reproduce this issue on the current release or on master, please reply with all of the information you have about it in order to keep the issue open.

Thank you for all your contributions!

@miq-bot miq-bot added the stale label Mar 26, 2018
@carbonin carbonin added pinned and removed stale labels May 4, 2018
Member

carbonin commented May 4, 2018

Adding pinned label. This is definitely a thing we still need to look at.

Although I think we have backup/restore worked out. Will change the original post to a checklist and check that off.

Member

carbonin commented Mar 27, 2020

How do we want to proceed with this particular issue @Fryguy @chessbyte?

First, I'd like to test out if these features even work with root, and second, how long do we really think we can go with requesting additional permissions in OpenShift? At some point, does it make sense to just try running without root in pods and see what bugs pop up?

At that point we can decide if those features can just be disabled entirely in pods or if we really need to go back to running with root.

@carbonin
Member

And to that point, if we're continuing to support both appliance and pods long term we should probably work out a better way to deal with the arch differences than gating a bunch of calls with `unless MiqEnvironment::Command.is_podified?` in the source. Especially if we need to change the UI in response to where we're running.

Member

carbonin commented May 4, 2020

Checked off external auth here as we have the split httpd images to handle the cases where auth doesn't require sssd/dbus to operate. I don't think we'll ever get those to run without root.

Member Author

bdunne commented Jul 27, 2020

Switching to RPMs pulls in nfs-utils which should be enough to check off PXE provisioning.

Member Author

bdunne commented Jul 28, 2020

Fleecing RHEV/oVirt has issues requiring redesign that would not be solved just by having root user privileges, opened #596 instead.

@bdunne bdunne closed this as completed Jul 28, 2020